Sampson+ Your Authors @jonathansampson Building the web since the mid-90's. Regional Manager of The Office references. Former Microsoft engineer, Stack Overflow mod no. 4. Building @brave 🇧🇷🇺🇸 Aug. 24, 2019 2 min read + Your Authors

Curious what happens when you fire up a web browser for the first time? Me too. I often do this for @brave to make sure things are staying neat and tidy.

Today I would like to do it for a few other web browsers. First, let's take a look at Opera.

Launching Opera (and leaving it in its default state for a few minutes) resulted in the following calls being made.

Calls to opera and operacdn made sense. But 19 calls to  http://yandex.ru  was a surprise. Note also Amazon, FB, Walmart, Kayak, Ebay, Ali Express, and more.

Some of these are fairly heavy calls too; here's a subset ordered by their response size (descending). Overstock sets a dozen cookies. Amazon, Kayak, Ali Express, and more set me up with novel session IDs as well. Google is there too. Ready to monitor my movement across the Web.

On a fun note,  http://booking.com  apparently knew that we'd inspect their headers 😉

Back to Yandex though. Opera not only pings them, but informs them that I am setting up a new profile with Opera (via the referer header and query string). This header also goes to Facebook, Google, and hotjar. All of these now know that I am a fresh Opera user.

A closer look reveals that Opera is sending extra bits too, including my native resolution, browser window size, and a lot more. Unfortunately, it isn't clear what the other bits are representing. One parameter is called "gdpr" with a value of 14. I wonder what that one is.

Another call is made to  http://android.clients.google.com , and includes a unique user ID, as well as a distinct device and sender ID. Why is Opera sending this information to Google?

Just as a reminder, this is a fresh profile. No previous activity. And no activity taken beyond opening the browser up for the first time.

Ah, I forgot to mention the call to  http://walmart.com  over HTTP, which responds with a 301 redirect. AFAIK, that's an opportunity for trouble.

Compared to Opera, Vivaldi is very lightweight. Firing up a fresh profile in Vivaldi resulted in only 31 or so calls (most of which are to  http://vivaldi.com ).

This looks pretty standard. It downloads the SafeBrowsing database, some 835K extension, and a domain blacklist.

Unlike Opera, Vivaldi doesn't inform others that I am a fresh user (via the Referer header).

The extension they download appears to be for Chrome Cast. This, too, is expected for compat reasons. I'd say Vivaldi gets a clean bill of health based on this cursory glance. Nice job, @vivaldibrowser!

Note, again, that I am only reviewing the first-run experience. Not making any claims about how privacy/secure things are beyond that.


You can follow @jonathansampson.



Bookmark

____
Tip: mention @threader_app on a Twitter thread with the keyword “compile” to get a link to it.

Enjoy Threader? Sign up.

Since you’re here...

... we’re asking visitors like you to make a contribution to support this independent project. In these uncertain times, access to information is vital. Threader gets 1,000,000+ visits a month and our iOS Twitter client was featured as an App of the Day by Apple. Your financial support will help two developers to keep working on this app. Everyone’s contribution, big or small, is so valuable. Support Threader by becoming premium or by donating on PayPal. Thank you.


Follow Threader